Pes CVS GM18 8-7 B117
Panelists:
C. Liu, Virginia Tech
P. Sauer, University of Illinois
G. Johnson, Ames Laboratory, DOE
IEEE PES General Meeting, Portland, OR, Aug. 2018
[Figure: utility network diagram. Labels: primary and secondary control center networks (dispatcher training simulators, user interfaces, application servers, SCADA servers, database servers), corporate WAN, other corporate intranets, vendor personnel or site engineers, firewalls, routers, modems, frame relay network / hackers, radiowave / dedicated line, data concentrator, substation network (transmission lines, busbar, breakers, feeders).]
Modeling Integrated Cyber-Power System
[Figure: integrated cyber-power system model. Cyber system layer at substation level: ICT models for substations 1, m, m+1 and n, each with engineering station, workstation HMIs, web HMI, router, firewall, servers and RTU; routers, firewalls and servers labeled CC and TO. Power system layer: network with generators G1 to G5 and numbered buses; inset plot of U16 in kV against t in sec.]
[Figure: cyber-physical system simulation tool. Labels: cyber system and transmission operator layers (operator's console, SIEMENS Spectrum Power TG, SICAM PAS, SCADA mimics, real-time database, supervision and control, EMS tools); communication (MATLAB Simulink, SimEvents, OPC toolboxes; Matrikon OPC simulation servers and OPC clients exchanging state and control variables); power system layer (DIgSILENT PowerFactory, power grid static and dynamic models); real-time grid; SCADA performances; cyber attacks; security and impact analysis.]
• Attack path on graph is identified as the series of all attacks steps taken to
compromise main target, e.g., RTU, and operate power devices
– All ICTs are vulnerable to cyber attacks
– An attack step takes t hours to compromise an ICT device
– Penetration tests are used to assess vulnerabilities and penetration times
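[Figure: example attack path from the start point through remote access, workstation, HMI 1, HMI 2, web HMI, router/firewall, and communication servers 1 and 2, with step times $t_{attack\,1}$ and $t_{attack\,2}$.]

$$t_{attack}^{path} = \sum_{i=1}^{n_{MC}} t_{attack}^{delay,i}$$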
• Attack efficiency to disrupt system operation is the success rate for cyber attack
path multiplied by the impact index on the power grid
j = attack
path
, j j
Simulation Results
• Cyber attack at substation 3
[Figure: G2 electrical frequency in Hz versus time in s]
Simulation Results
• Attack efficiencies to disrupt power system secure operation
Intrusion into a Substation Network
[Figure: utility network diagram showing intrusion points. Labels: primary and secondary control center networks (dispatcher training simulators, user interfaces, application servers, SCADA servers, database servers), corporate WAN, other corporate intranets, vendor personnel or site engineers, firewalls, routers, modems, frame relay network / hackers, radiowave / dedicated line, data concentrator, substation network (transmission lines, busbar, breakers, feeders).]
Potential Threats in a Substation
Based on IEC 61850
[Figure: IEC 61850 substation levels and threats. Station level: user-interface, GPS. Bay level: IED, relay, PMU. Process level: actuator, merging unit, circuit breaker, CT and VT. Threats shown: compromise user-interface; gain access to bay level devices; change device settings; modify GOOSE message; generate fabricated analog values.]
Integrated Anomaly Detection System
Consequence of GOOSE Based Attack
Host-Based Anomaly Detection
▪ Detection of temporal anomalies is performed by comparing consecutive row
vectors representing a sequence of time instants
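An added example (not from the slides or the papers listed under Further Information) of the row-by-row comparison described above. The indicator names, the sample matrix and the fraction-of-changed-entries score are assumptions made for illustration.

```python
# Constructed host log matrix: one row per time instant, one column per
# indicator. Column names are hypothetical, not taken from the slides.
INDICATORS = ("failed_logins", "file_system_change",
              "setting_change", "status_change")
ROWS = [
    (0, 0, 0, 0),  # t0
    (0, 0, 0, 0),  # t1
    (1, 0, 0, 0),  # t2
    (1, 1, 1, 0),  # t3
    (1, 1, 1, 0),  # t4
]

def temporal_anomalies(rows, names=INDICATORS):
    """Compare each row vector with the one before it.

    Returns a list of (time index, fraction of entries changed, changed
    indicator names) for every instant whose row differs from its predecessor.
    """
    findings = []
    for k in range(1, len(rows)):
        prev, cur = rows[k - 1], rows[k]
        if len(prev) != len(cur) or len(cur) != len(names):
            raise ValueError(f"row {k} does not match the indicator layout")
        changed = [n for n, a, b in zip(names, prev, cur) if a != b]
        if changed:
            findings.append((k, len(changed) / len(cur), changed))
    return findings

if __name__ == "__main__":
    for k, score, changed in temporal_anomalies(ROWS):
        print(f"t{k}: score={score:.2f} changed={', '.join(changed)}")
```

A single row has no predecessor, so a one-row matrix yields no findings.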
Anomaly Detection System
Coordinated Cyber Attack
[Figure: coordinated cyber attack on locations 1, 2 and 3 near City 1 to City 4, leading to cascading events]
Coordinated Cyber Attack Detection System (CCADS)
Similarity index
Intrusion Detection System
Further Information
[1] C. W. Ten, C. C. Liu, and M. Govindarasu, "Vulnerability Assessment of Cybersecurity for SCADA Systems," IEEE Trans. Power Systems, Nov. 2008, pp. 1836-1846.
[4] C. W. Ten, J. Hong, and C. C. Liu, "Anomaly Detection for Cybersecurity of the Substations," IEEE Trans. Smart Grid, Dec. 2011, pp. 865-873.
[2] C. C. Liu, A. Stefanov, J. Hong, and P. Panciatici, "Intruders in the Grid," IEEE Power and Energy Magazine, Jan/Feb 2012, pp. 58-66.
[3] J. Hong, C. C. Liu, and M. Govindarasu, "Integrated Anomaly Detection for Cyber Security of the Substations," IEEE Trans. Smart Grid, July 2014, pp. 1643-1653.
[4] A. Stefanov, C. C. Liu, and M. Govindarasu, "Modeling and Vulnerability Assessment of Integrated Cyber-Power Systems," Int. Transactions on Electrical Energy Systems, Vol. 25, No. 3, March 2015, pp. 498-519.
[5] C. C. Sun, A. Hahn, and C. C. Liu, "Cyber Security of a Power Grid: State-of-the-Art," Int. J. Electrical and Power and Energy Systems, pp. 45-56, 2018.
[6] J. Xie, A. Stefanov, and C. C. Liu, "Physical and Cyber Security in a Smart Grid Environment," Wiley Interdisciplinary Reviews Energy and Environment, WIREs Energy Environ 2016. DOI: 10.1002/wene.202
[7] C. C. Sun, C. C. Liu, and J. Xie, "Cyber-Physical System Security of a Power Grid: State-of-the-Art," Electronics, 2016, DOI: 10.3390/electronics5030040.
[8] C. C. Sun, J. Hong, and C. C. Liu, "A Coordinated Cyber Attack Detection System (CCADS) for Multiple Substations," 2016 Power System Computation Conference (PSCC), Genoa, Italy, June 2016.
[9] Y. Chen, J. Hong, and C. C. Liu, "Modeling of Intrusion and Defense for Assessment of Cyber Security at Power Substations," IEEE Trans. Smart Grid, DOI 10.1109/TSG.2016.2614603.
[10] J. Hong and C. C. Liu, "Intelligent Electronic Devices with Collaborative Intrusion Detection Systems," Accepted for publication in IEEE Trans. Smart Grid.
[11] C. C. Liu, A. Stefanov, J. Hong, "Cyber Vulnerability and Mitigation Studies Using a SCADA Testbed," IEEE Power and Energy Magazine, Jan. 2012.
[12] S. K. Khaitan, J. D. McCalley, and C. C. Liu (Co-Editors), Cyber Physical Systems Approach to Smart Electric Power Grid, Springer, 2015.
Author:
Tim Yardley
Primary Committee:
IEEE Smart Grid Webinar Series
Author:
Manimaran Govindarasu
Primary Committee:
IEEE Smart Grid Webinar Series
Author:
Anurag Srivastava
Primary Committee:
IEEE Smart Grid Webinar Series
Academic Team Members: Lalitha Sankar (ASU), Manimaran Govindarasu (ISU), and Oliver Kosut (ASU)
Industry Team Members: Reynaldo Nuqui (ABB), Jay Giri (Consultant), Sharon Xia (ALSTOM), Evangelos Farantatos (EPRI), Mahendra Patel (EPRI), Eugene Litvinov (ISO New England), Mark Westendorf (MISO), Benjamin Kroposki (NREL), Maurice Martin (NREL), Erfan Ibrahim (NREL), George Stefopoulos (NYPA), Harvey Scribner (SPP), and Brandon Aquirre (Tri-State)
Academic Team Members: Anurag Srivastava (WSU) and Adam Hahn (WSU)
Industry Team Members: Brian Miller (NREL), Glen Chason (EPRI), Dan Ton (DOE),
Evangelos Farantatos (EPRI), Tony Thomas (NRECA)
https://cred-c.org/
Provides links to the content of industry workshops from 2016 and 2017, and information on 2018
Topics
• Why Information Sharing?
• Cyber Fed Model (CFM) Background
• Sharing Considerations
• Existing Options
• Last Quarter-Mile Toolset (LQMT)
• Flexible Transform
• Local Uses:
– Operational Deterrence – update security controls and monitoring
– Strategic Design – use as inputs for mitigations and design of security
architecture
• Community Benefits:
– Reduce long term risk for the sharing community
– Increase effort and costs of an attack
– Impede attack progress within a community in near real-time
• Use Cases
– Defense: rapid M2M exchange of bad actor indicators
– Sit. Awareness: site/enterprise details on bad actor interactions
https://cfm.gss.anl.gov/
CFM Architecture
• Common operational environments lead to common threats
Community Options
• Open Source Feeds
• Commercial Feeds
Usage Readiness
• Cyber threat information is just one piece of the puzzle
LQMT
• Problem: Loading the dynamic threat information into analysis and
protection tools is cumbersome and problematic
– Organizations have their own tools (firewall, SIEM, etc.)
– Tools have different interfaces, protocols, and formats
– Threat information is expressed in differing formats
• Goal: Translate the input formats into a common representation and send
to output modules for updating end points.
https://github.com/anl-cyberscience/LQMToolset
FLEXIBLE TRANSFORM
Flexible Transform
• Problem: Using data is difficult when every contributor does not speak a
common language
– Exponentially increasing development effort to support new formats
– Loss of meaning and context between the formats
https://github.com/anl-cyberscience/FlexTransform
• Components of a format
– Syntax – CSV, XML, JSON
– Schema – Valid terms, the data
represented, and restrictions on use
– Semantics – Meanings of the terms
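An added example, not code from LQMT or FlexTransform, of the goal stated on the LQMT and Flexible Transform slides: two feeds that differ in syntax, schema and semantics are translated into one common representation, which an output module then consumes. The feed layouts, field names, the confidence mapping and all sample values are constructed for illustration.

```python
import csv, io, ipaddress, json
from datetime import datetime, timezone

# Constructed sample feeds: the same kind of indicator data expressed with
# different syntax (CSV vs JSON), schema (field names) and semantics (scores).
CSV_FEED = ("indicator,type,first_seen,score\n"
            "198.51.100.7,ipv4,2018-08-07T10:00:00Z,90\n"
            "bad.example,domain,2018-08-07T11:30:00Z,40\n")
JSON_FEED = json.dumps({"observables": [
    {"value": "203.0.113.9", "kind": "ip", "seen_epoch": 1533636000, "confidence": "high"},
    {"value": "not-an-ip", "kind": "ip", "seen_epoch": 1533636000, "confidence": "low"}]})
CONF_WORDS = {"low": 25, "medium": 50, "high": 90}  # assumed word-to-score mapping

def common(value, kind, seen, confidence, source):
    """Build one record in the common representation; reject malformed IPs."""
    if kind == "ip":
        value = str(ipaddress.ip_address(value))  # raises ValueError if invalid
    return {"value": value, "kind": kind, "seen": seen,
            "confidence": confidence, "source": source}

def parse_csv(text):
    """Input module for the CSV feed: ISO timestamps, numeric 0-100 score."""
    for row in csv.DictReader(io.StringIO(text)):
        kind = {"ipv4": "ip", "domain": "domain"}[row["type"]]
        seen = datetime.strptime(row["first_seen"], "%Y-%m-%dT%H:%M:%SZ")
        yield (row["indicator"], kind, seen.replace(tzinfo=timezone.utc),
               int(row["score"]), "csv")

def parse_json(text):
    """Input module for the JSON feed: epoch timestamps, worded confidence."""
    for obs in json.loads(text)["observables"]:
        seen = datetime.fromtimestamp(obs["seen_epoch"], tz=timezone.utc)
        yield obs["value"], obs["kind"], seen, CONF_WORDS[obs["confidence"]], "json"

def translate(feeds):
    """Run each (parser, text) pair; return (common records, rejected values)."""
    records, rejected = [], []
    for parser, text in feeds:
        for fields in parser(text):
            try:
                records.append(common(*fields))
            except ValueError:
                rejected.append(fields[0])
    return records, rejected

def blocklist(records, min_conf=80):
    """Output module: IP indicators confident enough to push to a deny list."""
    return sorted(r["value"] for r in records
                  if r["kind"] == "ip" and r["confidence"] >= min_conf)
```

Supporting a further format means writing one more parser against the common record rather than a converter for every pair of formats, and malformed indicators are rejected before any output module sees them.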
Thank You!
Contact
Grant Johnson
grantj@ameslab.gov
www.ameslab.gov
CFM Contact
Argonne National Lab
fedhelp@anl.gov
https://cfm.gss.anl.gov